
Pennsylvania CPA Journal

Winter 2025

Exploring the Benefits of Standalone Cyber Insurance

A major cyberevent can damage your firm’s reputation, erode client trust, and harm your financial success. Existing professional liability policies might provide some cyber protection, but there is a strong case to be made for the enhanced benefits of separate cyber coverage.


by Lauren Pitonyak
Dec 3, 2024, 00:00 AM


Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Gallagher Affinity provides this column for your review. For more information about liability issues, contact Irene Walton.


CPAs in practice hold comprehensive insurance coverage to help them mitigate professional risks. One of the fastest-growing areas of threat for CPAs is cybercrime. Firms of all sizes make attractive targets for digital thieves seeking to worm their way into networks to steal valuable financial or personally identifiable information (PII). The effects of these criminal acts are becoming more costly – financially and reputationally – for CPAs.

According to IBM and the Ponemon Institute, the global average cost of a data breach rose to $4.88 million in 2024, a 10% increase over the prior year and the highest figure the report has recorded.1

A major cyberevent can damage your firm’s reputation, erode client trust, and harm your financial success. Existing accountant professional liability (APL) policies might provide some cyber protection, but don’t brush away the enhanced benefits of separate cyber coverage. With the stakes rising, it is worthy of consideration.

Accounting for Cyberthreats

Cybercriminals aren’t the laser-dodging expert infiltrators we see in movies. Often, they exploit human trust and misrepresent themselves with deceptive emails, malicious attachments, and fraudulent websites.

According to the same IBM and Ponemon Institute report, the financial industry has the second-highest average breach cost of any sector, at $6.08 million in 2024 compared with $5.90 million the year prior. CPAs should approach a cybersecurity breach not as an “if” event, but as a “when” event.

More APL insurance policies are integrating aspects of cyber coverage to support this heightened concern. While APL can provide some peace of mind, it might not be comprehensive enough to address the heightened exposure that comes with being a CPA.

APL Insurance and Cyberevents

Busy CPAs often seek efficiencies in their business. Sometimes, however, the cost-efficiency approach is applied to insurance planning, comparing increasing insurance rates against all the other rising costs of doing business. Sadly, cutting costs in your cyber coverage can result in more headaches and more expenses down the road.

As cyberattacks and hacking events become commonplace, some carriers have added limited cyber coverage to APL insurance plans. It is important to note, though, that an APL policy is professional liability insurance: it is built around liabilities arising from your professional services, not around the full range of costs a cyberevent creates.

There are circumstances where you can fall into an uncomfortable cyber gap in your policy. This will vary from carrier to carrier, but here are the top things to know about the coverage you receive:

  • First-party expense exclusions – Businesses incur hefty costs immediately following a cyberevent. These first-party expenses include hiring forensic IT experts to determine the cause and scope of the attack, paying outside consultants to repair the damage to your systems, and notifying clients. Third-party expenses, meanwhile, cover response efforts such as hiring an attorney to defend against litigation from upset clients and paying any settlements or judgments arising from the incident. Relying on your APL for cyberattack coverage generally means you get assistance only for third-party losses that arise from professional mistakes or negligence, and those claims erode the same policy limit that protects your core practice.
  • Data breach assistance gaps – Cyberevent coverage within a professional liability policy takes effect only in certain situations. If your firm fails to secure client data properly, works with a lackluster cybersecurity partner, or poorly maintains its computer systems, a resulting data breach may be treated as professional negligence and fall within your APL policy. A breach carried out by a skilled attacker despite reasonable precautions, however, may not, leaving you to weather the costs independently. According to Verizon’s 2024 Data Breach Investigations Report, errors remain a consistent cause of breaches in the financial and insurance sector, with misdelivery, misconfiguration, and loss the top error varieties; but not every data breach originates with human error.2
  • Minimal risk management benefits – Your professional liability policy contains benefits designed to help you manage your risks as a CPA. From engagement letter review to advice on client screening and preclaims assistance, these insights help prevent claims before they are filed. A blended policy, unfortunately, doesn’t offer the same resources in the cybersecurity sphere. You would have to secure a standalone policy to receive similar benefits, such as access to claims hotlines and cybersecurity training.
  • Strained policy limits – Carrying a blended policy means all liability claims must fall under your yearly policy limit. As cyberevent costs soar, you could easily run over your limit and have to pay the difference out of pocket. Let’s say your firm experiences a cyberattack due to negligence in February. You use $500,000 of your $750,000 APL policy to cover costs. Would a slim margin of $250,000 be enough to protect your firm for the rest of the year?
The Case for Separate Policies

From Nov. 1, 2022, to Oct. 31, 2023, more than 3,000 security incidents targeted the financial and insurance industries, with over 1,000 confirmed instances of data disclosure, according to the Verizon report.3 Financial motivation dominates among cybercriminals targeting this industry, accounting for 98% of attacks, with the remaining 2% attributed to espionage.

In the face of these concerted efforts among cybercriminals, it is probably past time to consider a specialized policy to safeguard against emerging cyberthreats and help you respond efficiently.

Standalone cyberevent coverage offers the broadest protection, containing elements that more general policies typically exclude. Most significant among these are first-party protections, which can accomplish the following after a breach:

  • Finding and closing vulnerabilities – Standalone coverage will help you retain forensic experts to determine the cause and scope of the incident while outside consultants repair affected technology. This helps your business resume operations quickly. Note that many carriers require you to use their approved panel of forensic, legal, and restoration vendors, so confirm who those vendors are before an incident and name them in your response plan.
  • Notifying and assisting those affected – You don’t want news of a breach to reach your clients through the media. Failure to notify affected clients quickly enough can also lead to regulatory action, such as enforcement under state breach notification laws or, for firms subject to SEC rules, U.S. Securities and Exchange Commission action, as well as lawsuits from unhappy clients. Cyberevent coverage includes notification and credit-monitoring services for affected individuals and businesses.
  • Resuming system access – Ransomware is a common line of attack for cybercriminals targeting financial firms. According to Sophos’s The State of Ransomware 2024 report, the mean ransom demand among respondents was more than $4.3 million, and the median was $2 million.4 Your cyber policy can reimburse a ransom payment to help your firm regain access to computer systems and files. Be aware, though, that carriers typically require their consent before any payment is made, that paying does not guarantee working decryption keys or the deletion of stolen data, and that payments to sanctioned parties can violate U.S. Treasury (OFAC) rules, so engage the carrier’s incident response team before any negotiation begins.
  • Repairing a damaged reputation – Cyberattacks are alarming to everyone, businesses and customers alike. The crisis communications and public relations coverage in cyberevent policies can help you reconnect with clients and regain their trust.
  • Recouping business disruption losses – A cyberattack can turn your entire business on its head, resulting in lost revenue while you cannot operate. Cyber policies can help maintain your firm’s finances, delivering powerful peace of mind.

With first- and third-party protections, you can insulate your business against most expenses incurred following a breach. Your policy can also contain additional agreements designed to fill costly gaps. For instance, a carrier might define a privacy breach as a violation of any privacy rights, covering information not typically included in state or federal definitions of PII and protected health information. This way, you’re safeguarded against falling into an expensive policy exclusion.

You can also receive benefits from your cyber policy before an event occurs. With the rise of generative artificial intelligence, convincing phishing emails, voice impersonation, and fraudulent websites are easier than ever to produce. Working with a trusted and knowledgeable cyber insurance carrier means you’ll have insight into emerging trends like this, as well as risk mitigation tactics.

While cyber protections in an existing professional liability policy can be a safety net, comprehensively safeguarding your firm from all angles requires a standalone policy. Blended and bundled coverage can save money in the short term, but the consequences of a breach can go far beyond what you might have saved. As cyberattacks become costlier, the benefits of a dedicated policy outweigh the price of the premium. With the protection of both APL and cyber liability insurance, CPAs can confidently navigate the increasingly treacherous waters of the financial industry.

1 IBM and Ponemon Institute, Cost of a Data Breach Report 2024
2 Verizon Business, 2024 Data Breach Investigations Report
3 Ibid.
4 Sophos Ltd., The State of Ransomware 2024.


Lauren Pitonyak is an account executive with Gallagher Affinity in Mount Laurel, N.J. She can be reached at lauren_pitonyak@ajg.com.

The information contained herein is offered as insurance industry insight, and is provided as an overview of current market risks and available coverages. It is intended for discussion purposes only. This column is not intended to offer legal advice or client-specific risk management advice, and any description of insurance coverages is not meant to interpret specific coverages your company may already have in place or that may be generally available. Actual insurance policies must always be consulted for full coverage details and analysis.

